algif_aead.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * algif_aead: User-space interface for AEAD algorithms
  4. *
  5. * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
  6. *
  7. * This file provides the user-space API for AEAD ciphers.
  8. *
  9. * The following concept of the memory management is used:
  10. *
  11. * The kernel maintains two SGLs, the TX SGL and the RX SGL. The TX SGL is
  12. * filled by user space with the data submitted via sendmsg (maybe with
  13. * MSG_SPLICE_PAGES). Filling up the TX SGL does not cause a crypto operation
  14. * -- the data will only be tracked by the kernel. Upon receipt of one recvmsg
  15. * call, the caller must provide a buffer which is tracked with the RX SGL.
  16. *
  17. * During the processing of the recvmsg operation, the cipher request is
  18. * allocated and prepared. As part of the recvmsg operation, the processed
  19. * TX buffers are extracted from the TX SGL into a separate SGL.
  20. *
  21. * After the completion of the crypto operation, the RX SGL and the cipher
  22. * request is released. The extracted TX SGL parts are released together with
  23. * the RX SGL release.
  24. */
  25. #include <crypto/internal/aead.h>
  26. #include <crypto/scatterwalk.h>
  27. #include <crypto/if_alg.h>
  28. #include <linux/init.h>
  29. #include <linux/list.h>
  30. #include <linux/kernel.h>
  31. #include <linux/mm.h>
  32. #include <linux/module.h>
  33. #include <linux/net.h>
  34. #include <net/sock.h>
  35. static inline bool aead_sufficient_data(struct sock *sk)
  36. {
  37. struct alg_sock *ask = alg_sk(sk);
  38. struct sock *psk = ask->parent;
  39. struct alg_sock *pask = alg_sk(psk);
  40. struct af_alg_ctx *ctx = ask->private;
  41. struct crypto_aead *tfm = pask->private;
  42. unsigned int as = crypto_aead_authsize(tfm);
  43. /*
  44. * The minimum amount of memory needed for an AEAD cipher is
  45. * the AAD and in case of decryption the tag.
  46. */
  47. return ctx->used >= ctx->aead_assoclen + (ctx->enc ? 0 : as);
  48. }
  49. static int aead_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
  50. {
  51. struct sock *sk = sock->sk;
  52. struct alg_sock *ask = alg_sk(sk);
  53. struct sock *psk = ask->parent;
  54. struct alg_sock *pask = alg_sk(psk);
  55. struct crypto_aead *tfm = pask->private;
  56. unsigned int ivsize = crypto_aead_ivsize(tfm);
  57. return af_alg_sendmsg(sock, msg, size, ivsize);
  58. }
  59. static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
  60. size_t ignored, int flags)
  61. {
  62. struct sock *sk = sock->sk;
  63. struct alg_sock *ask = alg_sk(sk);
  64. struct sock *psk = ask->parent;
  65. struct alg_sock *pask = alg_sk(psk);
  66. struct af_alg_ctx *ctx = ask->private;
  67. struct crypto_aead *tfm = pask->private;
  68. unsigned int as = crypto_aead_authsize(tfm);
  69. struct af_alg_async_req *areq;
  70. struct scatterlist *rsgl_src, *tsgl_src = NULL;
  71. int err = 0;
  72. size_t used = 0; /* [in] TX bufs to be en/decrypted */
  73. size_t outlen = 0; /* [out] RX bufs produced by kernel */
  74. size_t usedpages = 0; /* [in] RX bufs to be used from user */
  75. size_t processed = 0; /* [in] TX bufs to be consumed */
  76. if (!ctx->init || ctx->more) {
  77. err = af_alg_wait_for_data(sk, flags, 0);
  78. if (err)
  79. return err;
  80. }
  81. /*
  82. * Data length provided by caller via sendmsg that has not yet been
  83. * processed.
  84. */
  85. used = ctx->used;
  86. /*
  87. * Make sure sufficient data is present -- note, the same check is also
  88. * present in sendmsg. The checks in sendmsg shall provide an
  89. * information to the data sender that something is wrong, but they are
  90. * irrelevant to maintain the kernel integrity. We need this check
  91. * here too in case user space decides to not honor the error message
  92. * in sendmsg and still call recvmsg. This check here protects the
  93. * kernel integrity.
  94. */
  95. if (!aead_sufficient_data(sk))
  96. return -EINVAL;
  97. /*
  98. * Calculate the minimum output buffer size holding the result of the
  99. * cipher operation. When encrypting data, the receiving buffer is
  100. * larger by the tag length compared to the input buffer as the
  101. * encryption operation generates the tag. For decryption, the input
  102. * buffer provides the tag which is consumed resulting in only the
  103. * plaintext without a buffer for the tag returned to the caller.
  104. */
  105. if (ctx->enc)
  106. outlen = used + as;
  107. else
  108. outlen = used - as;
  109. /*
  110. * The cipher operation input data is reduced by the associated data
  111. * length as this data is processed separately later on.
  112. */
  113. used -= ctx->aead_assoclen;
  114. /* Allocate cipher request for current operation. */
  115. areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
  116. crypto_aead_reqsize(tfm));
  117. if (IS_ERR(areq))
  118. return PTR_ERR(areq);
  119. /* convert iovecs of output buffers into RX SGL */
  120. err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);
  121. if (err)
  122. goto free;
  123. /*
  124. * Ensure output buffer is sufficiently large. If the caller provides
  125. * less buffer space, only use the relative required input size. This
  126. * allows AIO operation where the caller sent all data to be processed
  127. * and the AIO operation performs the operation on the different chunks
  128. * of the input data.
  129. */
  130. if (usedpages < outlen) {
  131. size_t less = outlen - usedpages;
  132. if (used < less + (ctx->enc ? 0 : as)) {
  133. err = -EINVAL;
  134. goto free;
  135. }
  136. used -= less;
  137. outlen -= less;
  138. }
  139. /*
  140. * Create a per request TX SGL for this request which tracks the
  141. * SG entries from the global TX SGL.
  142. */
  143. processed = used + ctx->aead_assoclen;
  144. areq->tsgl_entries = af_alg_count_tsgl(sk, processed);
  145. if (!areq->tsgl_entries)
  146. areq->tsgl_entries = 1;
  147. areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
  148. areq->tsgl_entries),
  149. GFP_KERNEL);
  150. if (!areq->tsgl) {
  151. err = -ENOMEM;
  152. goto free;
  153. }
  154. sg_init_table(areq->tsgl, areq->tsgl_entries);
  155. af_alg_pull_tsgl(sk, processed, areq->tsgl);
  156. tsgl_src = areq->tsgl;
  157. /*
  158. * Copy of AAD from source to destination
  159. *
  160. * The AAD is copied to the destination buffer without change. Even
  161. * when user space uses an in-place cipher operation, the kernel
  162. * will copy the data as it does not see whether such in-place operation
  163. * is initiated.
  164. */
  165. /* Use the RX SGL as source (and destination) for crypto op. */
  166. rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
  167. memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
  168. /* Initialize the crypto operation */
  169. aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
  170. areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
  171. aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
  172. aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
  173. if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
  174. /* AIO operation */
  175. sock_hold(sk);
  176. areq->iocb = msg->msg_iocb;
  177. /* Remember output size that will be generated. */
  178. areq->outlen = outlen;
  179. aead_request_set_callback(&areq->cra_u.aead_req,
  180. CRYPTO_TFM_REQ_MAY_SLEEP,
  181. af_alg_async_cb, areq);
  182. err = ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) :
  183. crypto_aead_decrypt(&areq->cra_u.aead_req);
  184. /* AIO operation in progress */
  185. if (err == -EINPROGRESS)
  186. return -EIOCBQUEUED;
  187. sock_put(sk);
  188. } else {
  189. /* Synchronous operation */
  190. aead_request_set_callback(&areq->cra_u.aead_req,
  191. CRYPTO_TFM_REQ_MAY_SLEEP |
  192. CRYPTO_TFM_REQ_MAY_BACKLOG,
  193. crypto_req_done, &ctx->wait);
  194. err = crypto_wait_req(ctx->enc ?
  195. crypto_aead_encrypt(&areq->cra_u.aead_req) :
  196. crypto_aead_decrypt(&areq->cra_u.aead_req),
  197. &ctx->wait);
  198. }
  199. free:
  200. af_alg_free_resources(areq);
  201. return err ? err : outlen;
  202. }
  203. static int aead_recvmsg(struct socket *sock, struct msghdr *msg,
  204. size_t ignored, int flags)
  205. {
  206. struct sock *sk = sock->sk;
  207. int ret = 0;
  208. lock_sock(sk);
  209. while (msg_data_left(msg)) {
  210. int err = _aead_recvmsg(sock, msg, ignored, flags);
  211. /*
  212. * This error covers -EIOCBQUEUED which implies that we can
  213. * only handle one AIO request. If the caller wants to have
  214. * multiple AIO requests in parallel, he must make multiple
  215. * separate AIO calls.
  216. *
  217. * Also return the error if no data has been processed so far.
  218. */
  219. if (err <= 0) {
  220. if (err == -EIOCBQUEUED || err == -EBADMSG || !ret)
  221. ret = err;
  222. goto out;
  223. }
  224. ret += err;
  225. }
  226. out:
  227. af_alg_wmem_wakeup(sk);
  228. release_sock(sk);
  229. return ret;
  230. }
  231. static struct proto_ops algif_aead_ops = {
  232. .family = PF_ALG,
  233. .connect = sock_no_connect,
  234. .socketpair = sock_no_socketpair,
  235. .getname = sock_no_getname,
  236. .ioctl = sock_no_ioctl,
  237. .listen = sock_no_listen,
  238. .shutdown = sock_no_shutdown,
  239. .mmap = sock_no_mmap,
  240. .bind = sock_no_bind,
  241. .accept = sock_no_accept,
  242. .release = af_alg_release,
  243. .sendmsg = aead_sendmsg,
  244. .recvmsg = aead_recvmsg,
  245. .poll = af_alg_poll,
  246. };
  247. static int aead_check_key(struct socket *sock)
  248. {
  249. int err = 0;
  250. struct sock *psk;
  251. struct alg_sock *pask;
  252. struct crypto_aead *tfm;
  253. struct sock *sk = sock->sk;
  254. struct alg_sock *ask = alg_sk(sk);
  255. lock_sock(sk);
  256. if (!atomic_read(&ask->nokey_refcnt))
  257. goto unlock_child;
  258. psk = ask->parent;
  259. pask = alg_sk(ask->parent);
  260. tfm = pask->private;
  261. err = -ENOKEY;
  262. lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
  263. if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
  264. goto unlock;
  265. atomic_dec(&pask->nokey_refcnt);
  266. atomic_set(&ask->nokey_refcnt, 0);
  267. err = 0;
  268. unlock:
  269. release_sock(psk);
  270. unlock_child:
  271. release_sock(sk);
  272. return err;
  273. }
  274. static int aead_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
  275. size_t size)
  276. {
  277. int err;
  278. err = aead_check_key(sock);
  279. if (err)
  280. return err;
  281. return aead_sendmsg(sock, msg, size);
  282. }
  283. static int aead_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
  284. size_t ignored, int flags)
  285. {
  286. int err;
  287. err = aead_check_key(sock);
  288. if (err)
  289. return err;
  290. return aead_recvmsg(sock, msg, ignored, flags);
  291. }
  292. static struct proto_ops algif_aead_ops_nokey = {
  293. .family = PF_ALG,
  294. .connect = sock_no_connect,
  295. .socketpair = sock_no_socketpair,
  296. .getname = sock_no_getname,
  297. .ioctl = sock_no_ioctl,
  298. .listen = sock_no_listen,
  299. .shutdown = sock_no_shutdown,
  300. .mmap = sock_no_mmap,
  301. .bind = sock_no_bind,
  302. .accept = sock_no_accept,
  303. .release = af_alg_release,
  304. .sendmsg = aead_sendmsg_nokey,
  305. .recvmsg = aead_recvmsg_nokey,
  306. .poll = af_alg_poll,
  307. };
  308. static void *aead_bind(const char *name, u32 type, u32 mask)
  309. {
  310. return crypto_alloc_aead(name, type, mask);
  311. }
  312. static void aead_release(void *private)
  313. {
  314. crypto_free_aead(private);
  315. }
  316. static int aead_setauthsize(void *private, unsigned int authsize)
  317. {
  318. return crypto_aead_setauthsize(private, authsize);
  319. }
  320. static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
  321. {
  322. return crypto_aead_setkey(private, key, keylen);
  323. }
  324. static void aead_sock_destruct(struct sock *sk)
  325. {
  326. struct alg_sock *ask = alg_sk(sk);
  327. struct af_alg_ctx *ctx = ask->private;
  328. struct sock *psk = ask->parent;
  329. struct alg_sock *pask = alg_sk(psk);
  330. struct crypto_aead *tfm = pask->private;
  331. unsigned int ivlen = crypto_aead_ivsize(tfm);
  332. af_alg_pull_tsgl(sk, ctx->used, NULL);
  333. sock_kzfree_s(sk, ctx->iv, ivlen);
  334. sock_kfree_s(sk, ctx, ctx->len);
  335. af_alg_release_parent(sk);
  336. }
  337. static int aead_accept_parent_nokey(void *private, struct sock *sk)
  338. {
  339. struct af_alg_ctx *ctx;
  340. struct alg_sock *ask = alg_sk(sk);
  341. struct crypto_aead *tfm = private;
  342. unsigned int len = sizeof(*ctx);
  343. unsigned int ivlen = crypto_aead_ivsize(tfm);
  344. ctx = sock_kmalloc(sk, len, GFP_KERNEL);
  345. if (!ctx)
  346. return -ENOMEM;
  347. memset(ctx, 0, len);
  348. ctx->iv = sock_kmalloc(sk, ivlen, GFP_KERNEL);
  349. if (!ctx->iv) {
  350. sock_kfree_s(sk, ctx, len);
  351. return -ENOMEM;
  352. }
  353. memset(ctx->iv, 0, ivlen);
  354. INIT_LIST_HEAD(&ctx->tsgl_list);
  355. ctx->len = len;
  356. crypto_init_wait(&ctx->wait);
  357. ask->private = ctx;
  358. sk->sk_destruct = aead_sock_destruct;
  359. return 0;
  360. }
  361. static int aead_accept_parent(void *private, struct sock *sk)
  362. {
  363. struct crypto_aead *tfm = private;
  364. if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
  365. return -ENOKEY;
  366. return aead_accept_parent_nokey(private, sk);
  367. }
  368. static const struct af_alg_type algif_type_aead = {
  369. .bind = aead_bind,
  370. .release = aead_release,
  371. .setkey = aead_setkey,
  372. .setauthsize = aead_setauthsize,
  373. .accept = aead_accept_parent,
  374. .accept_nokey = aead_accept_parent_nokey,
  375. .ops = &algif_aead_ops,
  376. .ops_nokey = &algif_aead_ops_nokey,
  377. .name = "aead",
  378. .owner = THIS_MODULE
  379. };
  380. static int __init algif_aead_init(void)
  381. {
  382. return af_alg_register_type(&algif_type_aead);
  383. }
  384. static void __exit algif_aead_exit(void)
  385. {
  386. int err = af_alg_unregister_type(&algif_type_aead);
  387. BUG_ON(err);
  388. }
  389. module_init(algif_aead_init);
  390. module_exit(algif_aead_exit);
  391. MODULE_LICENSE("GPL");
  392. MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
  393. MODULE_DESCRIPTION("AEAD kernel crypto API user space interface");